# Test fixture: providers/os/resources/logindefs/testdata/debian.toml
# (path as shown for go.mondoo.com/cnquery).
#
# One table entry maps the path /etc/login.defs to its file content.
# The content is a Debian-style login.defs. It is sample input with
# distribution-style defaults, not a hardening baseline.
#
# Security-relevant active settings carried by this fixture:
#   ENCRYPT_METHOD SHA512, with SHA_CRYPT_MIN_ROUNDS / SHA_CRYPT_MAX_ROUNDS
#     commented out (the embedded text says libc then uses 5000 rounds)
#   PASS_MAX_DAYS 99999, PASS_MIN_DAYS 0, PASS_WARN_AGE 7
#     (password aging is effectively off)
#   UMASK 022 (the embedded text calls 027 or 077 better for privacy)
#   FAILLOG_ENAB yes, LOG_UNKFAIL_ENAB no, LOG_OK_LOGINS no
#   SYSLOG_SU_ENAB yes, SYSLOG_SG_ENAB yes
#   LOGIN_RETRIES 5, LOGIN_TIMEOUT 60, TTYPERM 0600
#
# Directives prefixed with "#" (SULOG_FILE, MD5_CRYPT_ENAB, CONSOLE,
# CONSOLE_GROUPS, ...) are comments in login.defs and therefore unset.
# NOTE(review): presumably the consuming test relies on them being skipped
# and on the values above -- confirm before changing any of them.
#
# The value is a TOML multi-line basic string, so backslash escapes are
# decoded: \" yields a double quote and \\ yields a single backslash.
# Keep that escaping when editing the embedded file.
[files."/etc/login.defs"]
content = """
#
# /etc/login.defs - Configuration control definitions for the login package.
#
# Three items must be defined: MAIL_DIR, ENV_SUPATH, and ENV_PATH.
# If unspecified, some arbitrary (and possibly incorrect) value will
# be assumed. All other items are optional - if not specified then
# the described action or option will be inhibited.
#
# Comment lines (lines beginning with \"#\") and blank lines are ignored.
#
# Modified for Linux. --marekm

# REQUIRED for useradd/userdel/usermod
# Directory where mailboxes reside, _or_ name of file, relative to the
# home directory. If you _do_ define MAIL_DIR and MAIL_FILE,
# MAIL_DIR takes precedence.
#
# Essentially:
# - MAIL_DIR defines the location of users mail spool files
# (for mbox use) by appending the username to MAIL_DIR as defined
# below.
# - MAIL_FILE defines the location of the users mail spool files as the
# fully-qualified filename obtained by prepending the user home
# directory before $MAIL_FILE
#
# NOTE: This is no more used for setting up users MAIL environment variable
# which is, starting from shadow 4.0.12-1 in Debian, entirely the
# job of the pam_mail PAM modules
# See default PAM configuration files provided for
# login, su, etc.
#
# This is a temporary situation: setting these variables will soon
# move to /etc/default/useradd and the variables will then be
# no more supported
MAIL_DIR /var/mail
#MAIL_FILE .mail

#
# Enable logging and display of /var/log/faillog login failure info.
# This option conflicts with the pam_tally PAM module.
#
FAILLOG_ENAB yes

#
# Enable display of unknown usernames when login failures are recorded.
#
# WARNING: Unknown usernames may become world readable.
# See #290803 and #298773 for details about how this could become a security
# concern
LOG_UNKFAIL_ENAB no

#
# Enable logging of successful logins
#
LOG_OK_LOGINS no

#
# Enable \"syslog\" logging of su activity - in addition to sulog file logging.
# SYSLOG_SG_ENAB does the same for newgrp and sg.
#
SYSLOG_SU_ENAB yes
SYSLOG_SG_ENAB yes

#
# If defined, all su activity is logged to this file.
#
#SULOG_FILE /var/log/sulog

#
# If defined, file which maps tty line to TERM environment parameter.
# Each line of the file is in a format something like \"vt100 tty01\".
#
#TTYTYPE_FILE /etc/ttytype

#
# If defined, login failures will be logged here in a utmp format
# last, when invoked as lastb, will read /var/log/btmp, so...
#
FTMP_FILE /var/log/btmp

#
# If defined, the command name to display when running \"su -\". For
# example, if this is defined as \"su\" then a \"ps\" will display the
# command is \"-su\". If not defined, then \"ps\" would display the
# name of the shell actually being run, e.g. something like \"-sh\".
#
SU_NAME su

#
# If defined, file which inhibits all the usual chatter during the login
# sequence. If a full pathname, then hushed mode will be enabled if the
# user's name or shell are found in the file. If not a full pathname, then
# hushed mode will be enabled if the file exists in the user's home directory.
#
HUSHLOGIN_FILE .hushlogin
#HUSHLOGIN_FILE /etc/hushlogins

#
# *REQUIRED* The default PATH settings, for superuser and normal users.
#
# (they are minimal, add the rest in the shell startup files)
ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
ENV_PATH PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games

#
# Terminal permissions
#
# TTYGROUP Login tty will be assigned this group ownership.
# TTYPERM Login tty will be set to this permission.
#
# If you have a \"write\" program which is \"setgid\" to a special group
# which owns the terminals, define TTYGROUP to the group number and
# TTYPERM to 0620. Otherwise leave TTYGROUP commented out and assign
# TTYPERM to either 622 or 600.
#
# In Debian /usr/bin/bsd-write or similar programs are setgid tty
# However, the default and recommended value for TTYPERM is still 0600
# to not allow anyone to write to anyone else console or terminal

# Users can still allow other people to write them by issuing
# the \"mesg y\" command.

TTYGROUP tty
TTYPERM 0600

#
# Login configuration initializations:
#
# ERASECHAR Terminal ERASE character ('\\010' = backspace).
# KILLCHAR Terminal KILL character ('\\025' = CTRL/U).
# UMASK Default \"umask\" value.
#
# The ERASECHAR and KILLCHAR are used only on System V machines.
#
# UMASK is the default umask value for pam_umask and is used by
# useradd and newusers to set the mode of the new home directories.
# 022 is the \"historical\" value in Debian for UMASK
# 027, or even 077, could be considered better for privacy
# There is no One True Answer here : each sysadmin must make up his/her
# mind.
#
# If USERGROUPS_ENAB is set to \"yes\", that will modify this UMASK default value
# for private user groups, i. e. the uid is the same as gid, and username is
# the same as the primary group name: for these, the user permissions will be
# used as group permissions, e. g. 022 will become 002.
#
# Prefix these values with \"0\" to get octal, \"0x\" to get hexadecimal.
#
ERASECHAR 0177
KILLCHAR 025
UMASK 022

#
# Password aging controls:
#
# PASS_MAX_DAYS Maximum number of days a password may be used.
# PASS_MIN_DAYS Minimum number of days allowed between password changes.
# PASS_WARN_AGE Number of days warning given before a password expires.
#
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_WARN_AGE 7

#
# Min/max values for automatic uid selection in useradd
#
UID_MIN 1000
UID_MAX 60000
# System accounts
#SYS_UID_MIN 100
#SYS_UID_MAX 999

#
# Min/max values for automatic gid selection in groupadd
#
GID_MIN 1000
GID_MAX 60000
# System accounts
#SYS_GID_MIN 100
#SYS_GID_MAX 999

#
# Max number of login retries if password is bad. This will most likely be
# overriden by PAM, since the default pam_unix module has it's own built
# in of 3 retries. However, this is a safe fallback in case you are using
# an authentication module that does not enforce PAM_MAXTRIES.
#
LOGIN_RETRIES 5

#
# Max time in seconds for login
#
LOGIN_TIMEOUT 60

#
# Which fields may be changed by regular users using chfn - use
# any combination of letters \"frwh\" (full name, room number, work
# phone, home phone). If not defined, no changes are allowed.
# For backward compatibility, \"yes\" = \"rwh\" and \"no\" = \"frwh\".
#
CHFN_RESTRICT rwh

#
# Should login be allowed if we can't cd to the home directory?
# Default in no.
#
DEFAULT_HOME yes

#
# If defined, this command is run when removing a user.
# It should remove any at/cron/print jobs etc. owned by
# the user to be removed (passed as the first argument).
#
#USERDEL_CMD /usr/sbin/userdel_local

#
# If set to yes, userdel will remove the user's group if it contains no
# more members, and useradd will create by default a group with the name
# of the user.
#
# Other former uses of this variable such as setting the umask when
# user==primary group are not used in PAM environments, such as Debian
#
USERGROUPS_ENAB yes

#
# Instead of the real user shell, the program specified by this parameter
# will be launched, although its visible name (argv[0]) will be the shell's.
# The program may do whatever it wants (logging, additional authentification,
# banner, ...) before running the actual shell.
#
# FAKE_SHELL /bin/fakeshell

#
# If defined, either full pathname of a file containing device names or
# a \":\" delimited list of device names. Root logins will be allowed only
# upon these devices.
#
# This variable is used by login and su.
#
#CONSOLE /etc/consoles
#CONSOLE console:tty01:tty02:tty03:tty04

#
# List of groups to add to the user's supplementary group set
# when logging in on the console (as determined by the CONSOLE
# setting). Default is none.
#
# Use with caution - it is possible for users to gain permanent
# access to these groups, even when not logged in on the console.
# How to do it is left as an exercise for the reader...
#
# This variable is used by login and su.
#
#CONSOLE_GROUPS floppy:audio:cdrom

#
# If set to \"yes\", new passwords will be encrypted using the MD5-based
# algorithm compatible with the one used by recent releases of FreeBSD.
# It supports passwords of unlimited length and longer salt strings.
# Set to \"no\" if you need to copy encrypted passwords to other systems
# which don't understand the new algorithm. Default is \"no\".
#
# This variable is deprecated. You should use ENCRYPT_METHOD.
#
#MD5_CRYPT_ENAB no

#
# If set to MD5 , MD5-based algorithm will be used for encrypting password
# If set to SHA256, SHA256-based algorithm will be used for encrypting password
# If set to SHA512, SHA512-based algorithm will be used for encrypting password
# If set to DES, DES-based algorithm will be used for encrypting password (default)
# Overrides the MD5_CRYPT_ENAB option
#
# Note: It is recommended to use a value consistent with
# the PAM modules configuration.
#
ENCRYPT_METHOD SHA512

#
# Only used if ENCRYPT_METHOD is set to SHA256 or SHA512.
#
# Define the number of SHA rounds.
# With a lot of rounds, it is more difficult to brute forcing the password.
# But note also that it more CPU resources will be needed to authenticate
# users.
#
# If not specified, the libc will choose the default number of rounds (5000).
# The values must be inside the 1000-999999999 range.
# If only one of the MIN or MAX values is set, then this value will be used.
# If MIN > MAX, the highest value will be used.
#
# SHA_CRYPT_MIN_ROUNDS 5000
# SHA_CRYPT_MAX_ROUNDS 5000

################# OBSOLETED BY PAM ##############
# #
# These options are now handled by PAM. Please #
# edit the appropriate file in /etc/pam.d/ to #
# enable the equivelants of them.
#
###############

#MOTD_FILE
#DIALUPS_CHECK_ENAB
#LASTLOG_ENAB
#MAIL_CHECK_ENAB
#OBSCURE_CHECKS_ENAB
#PORTTIME_CHECKS_ENAB
#SU_WHEEL_ONLY
#CRACKLIB_DICTPATH
#PASS_CHANGE_TRIES
#PASS_ALWAYS_WARN
#ENVIRON_FILE
#NOLOGINS_FILE
#ISSUE_FILE
#PASS_MIN_LEN
#PASS_MAX_LEN
#ULIMIT
#ENV_HZ
#CHFN_AUTH
#CHSH_AUTH
#FAIL_DELAY

################# OBSOLETED #######################
# #
# These options are no more handled by shadow. #
# #
# Shadow utilities will display a warning if they #
# still appear. #
# #
###################################################

# CLOSE_SESSIONS
# LOGIN_STRING
# NO_PASSWORD_CONSOLE
# QMAIL_DIR
"""